I removed the LimitRanger admission plugin by editing the line --enable-admission-plugins= in kube-apiserver.yaml in /etc/kubernetes/manifests. Once I saved the file, the existing kube-api pod kube-apiserver-master.k8s was immediately deleted and recreated automatically. I am able to see that the LimitRanger plugin is not listed in the restarted kube-api server process:
kube-apiserver --advertise-address=192.168.56.4 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --insecure-port=0 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6443 --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-cluster-ip-range=10.96.0.0/12 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
But now I have submitted a deployment without mentioning CPU and memory resource requests and limits, as shown below:
kind: Deployment
apiVersion: apps/v1
metadata:
  name: kubia-dep
spec:
  replicas: 3
  selector:
    matchLabels:
      app: dev
  template:
    metadata:
      name: dep-spec
      labels:
        app: dev
    spec:
      containers:
      - name: kubia-dep-cn
        image: luksa/kubia:v2
[root@master manifests]# kubectl get po
NAME                         READY   STATUS    RESTARTS   AGE
curl-custom-sa               2/2     Running   0          4d2h
kubia-dep-74cb8b894c-47m96   1/1     Running   0          14m
kubia-dep-74cb8b894c-gnzt8   1/1     Running   0          14m
kubia-dep-74cb8b894c-h26nv   1/1     Running   0          14m
But I'm seeing that the LimitRanger plugin was applied when checking kubectl describe po kubia-dep-74cb8b894c-47m96:
Annotations:  kubernetes.io/limit-ranger:
                LimitRanger plugin set: cpu, memory request for container kubia-dep-cn; cpu, memory limit for container kubia-dep-cn
Containers:
  kubia-dep-cn:
    Container ID:   docker://d151dc4b589f70359587ebd594d1e40cc8797ae0be25527cc2b0e92bd2c20303
    Image:          luksa/kubia:v3
    Image ID:       docker-pullable://docker.io/luksa/kubia@sha256:bcae4c20b355376d86bb34db0c9637a2e72058db5a66af82c868a2cfdcb0ac80
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Tue, 26 Nov 2019 23:33:57 +0530
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     200m
      memory:  100Mi
    Requests:
      cpu:     100m
      memory:  10Mi
So how is the LimitRanger plugin enforced even after it was removed? Are there any additional steps we have to take to stop enforcing this LimitRanger plugin? Or is removing it directly from the apiserver manifest file not the proper way?
I removed the LimitRanger admission plugin by editing the line --enable-admission-plugins= in kube-apiserver.yaml in /etc/kubernetes/manifests.
Have you tried --disable-admission-plugins?
K8s documentation says that:
The Kubernetes API server flag disable-admission-plugins takes a comma-delimited list of admission control plugins to be disabled, even if they are in the list of plugins enabled by default.
kube-apiserver --disable-admission-plugins=PodNodeSelector,AlwaysDeny
To see which admission plugins are enabled:
kube-apiserver -h | grep enable-admission-plugins
In 1.16, plugins enabled by default are:
NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, RuntimeClass, ResourceQuota
Verify whether a LimitRange is active:
kubectl get limitranges
Also check whether you have ResourceQuotas defined:
kubectl get resourcequotas
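The behaviour discussed in the answers, as an added example that is not part of the original posts: it computes which admission plugins are effectively on for a given kube-apiserver command line, using the 1.16 default list quoted above. The function names are hypothetical, the two command lines are shortened from the one in the question, and only the --flag=value form is parsed.

```python
import shlex

# Plugins enabled by default in 1.16, as listed in the answer above.
DEFAULT_ON_1_16 = [
    "NamespaceLifecycle", "LimitRanger", "ServiceAccount", "TaintNodesByCondition",
    "Priority", "DefaultTolerationSeconds", "DefaultStorageClass",
    "StorageObjectInUseProtection", "PersistentVolumeClaimResize",
    "MutatingAdmissionWebhook", "ValidatingAdmissionWebhook", "RuntimeClass",
    "ResourceQuota",
]

def flag_values(cmdline, flag):
    """Collect the comma-delimited values of every --<flag>=... occurrence."""
    prefix = f"--{flag}="
    values = []
    for arg in shlex.split(cmdline):
        if arg.startswith(prefix):
            values += [v.strip() for v in arg[len(prefix):].split(",") if v.strip()]
    return values

def effective_plugins(cmdline, defaults=DEFAULT_ON_1_16):
    """Return defaults plus --enable-admission-plugins minus --disable-admission-plugins."""
    enabled = flag_values(cmdline, "enable-admission-plugins")
    disabled = set(flag_values(cmdline, "disable-admission-plugins"))
    overlap = sorted(set(enabled) & disabled)
    if overlap:
        # Contradictory configuration: the same plugin is both enabled and disabled.
        raise ValueError(f"plugins both enabled and disabled: {overlap}")
    result = []
    # The enable flag only adds to the defaults; it never removes a default-on plugin.
    for name in list(defaults) + enabled:
        if name not in disabled and name not in result:
            result.append(name)
    return result

# Constructed sample input: the question's command line, shortened to the relevant flags.
ASKER_CMDLINE = ("kube-apiserver --authorization-mode=Node,RBAC "
                 "--enable-admission-plugins=NodeRestriction --secure-port=6443")
# Same command line with the flag suggested in the answer added.
FIXED_CMDLINE = ASKER_CMDLINE + " --disable-admission-plugins=LimitRanger"

if __name__ == "__main__":
    for label, cmd in (("as edited", ASKER_CMDLINE), ("with disable flag", FIXED_CMDLINE)):
        plugins = effective_plugins(cmd)
        print(f"{label}: LimitRanger active = {'LimitRanger' in plugins}")
```

The model covers only which plugins are on; it does not reproduce the order in which the API server runs them.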